
WordPress Generated Nonces Don’t Generally Provide CSRF Protection for Those Not Logged In


We were recently looking into a somewhat convoluted situation with a vulnerability in a WordPress plugin. Part of investigating that involved checking on something involving the usage of a nonce for those not logged in to WordPress. Nonces are used to protect against cross-site request forgery (CSRF) vulnerabilities. It turns out that if you do a web search to see whether they can be used for those not logged in, you can get some pretty poor information. Part of the problem is that there are people handing out security advice who don’t know what they are talking about. That includes the moderators of the WordPress Support Forum. Here was the long-winded non-answer one of them gave to someone asking a specific question about nonces for those not logged in to WordPress:

There are few absolutes in security. A trade-off between difficulty and benefits gained. It’s “better” to use a nonce to help ensure the data is coming from your own form. In some cases the security gained would be so minimal that it wouldn’t matter much. If you make the effort anyway, there’s no harm in it. Rather than following “rules” you read here and there, it’s better to actually understand the security implications and consequences and act accordingly to a specific situation. Granted, easier said than done. Security is an ever evolving topic. Lacking such understanding, better safe than sorry is a reasonable approach.
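To make the point in the title concrete, here is an added, stand-alone re-implementation of how WordPress derives a nonce (the logic of wp_create_nonce, wp_nonce_tick and wp_hash in wp-includes/pluggable.php); it is not code from this post or from WordPress itself, the demo_ function names are ours, and the salt is a constructed placeholder. It shows that two unrelated logged-out visitors receive the identical nonce, while logged-in users get session-bound ones.

```php
<?php
// Re-implementation of the WordPress nonce derivation, added for illustration.
// DEMO_NONCE_SALT is a constructed placeholder standing in for the site's NONCE_KEY/NONCE_SALT.
const DEMO_NONCE_SALT = 'placeholder-salt-not-a-real-site-secret';
const DAY_IN_SECONDS  = 86400;

// wp_nonce_tick(): nonces are valid for a 12-hour tick (half of the default 24-hour nonce life).
function demo_nonce_tick(): int {
    return (int) ceil(time() / (DAY_IN_SECONDS / 2));
}

// wp_hash() with the 'nonce' scheme: HMAC-MD5 over the data, keyed with the site salt.
function demo_wp_hash(string $data): string {
    return hash_hmac('md5', $data, DEMO_NONCE_SALT);
}

// wp_create_nonce(): the inputs are the tick, the action, the user ID and the session token.
// For a logged-out visitor WordPress supplies user ID 0 and an empty session token,
// so nothing in the hashed input is specific to that visitor.
function demo_create_nonce(string $action, int $uid, string $session_token): string {
    $tick = demo_nonce_tick();
    return substr(demo_wp_hash("$tick|$action|$uid|$session_token"), -12, 10);
}

// Two unrelated logged-out visitors: same action, uid 0, empty token -> identical nonce.
$visitor_a = demo_create_nonce('contact_form', 0, '');
$visitor_b = demo_create_nonce('contact_form', 0, '');

// Two logged-in users (constructed IDs and session tokens) -> distinct nonces.
$user_1 = demo_create_nonce('contact_form', 1, 'session-token-of-user-1');
$user_2 = demo_create_nonce('contact_form', 2, 'session-token-of-user-2');

echo "logged-out visitor A: $visitor_a\n";
echo "logged-out visitor B: $visitor_b\n";   // same value as visitor A
echo "logged-in user 1:     $user_1\n";
echo "logged-in user 2:     $user_2\n";      // differs from user 1

// Because A and B are equal, verifying the nonce on a logged-out endpoint only confirms that
// the request carries the site-wide value for the current 12-hour window, which any visitor
// can read from the page; it does not show the submission came from the victim's own form.
// Unauthenticated endpoints therefore need a check that does not rest on the nonce alone.
```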

